wKioL1YwHLCRLfYIAAFqwcC7Q08782.jpg

IMAGE_DOS_HEADER STRUCT 

+00h WORD e_magic      // Magic DOS signature MZ(4Dh 5Ah)     DOS可执行文件标记 

+02h  WORD e_cblp        // Bytes on last page of file   

+04h WORD e_cp            // Pages in file

+06h WORD e_crlc          // Relocations

+08h WORD e_cparhdr   // Size of header in paragraphs

+0ah WORD e_minalloc   // Minimun extra paragraphs needs

+0ch WORD e_maxalloc  // Maximun extra paragraphs needs

+0eh WORD e_ss            // intial(relative)SS value     DOS代码的初始化堆栈SS 

+10h WORD e_sp           // intial SP value                DOS代码的初始化堆栈指针SP 

+12h WORD e_csum       // Checksum 

+14h WORD e_ip           //   intial IP value                    DOS代码的初始化指令入口[指针IP] 

+16h WORD e_cs           // intial(relative)CS value                    DOS代码的初始堆栈入口 

+18h WORD e_lfarlc       // File Address of relocation table 

+1ah  WORD e_ovno      //   Overlay number 

+1ch WORD e_res[4]     // Reserved words 

+24h WORD e_oemid    //   OEM identifier(for e_oeminfo) 

+26h WORD e_oeminfo   //  OEM information;e_oemid specific  

+29h WORD e_res2[10]  //  Reserved words 

+3ch LONG   e_lfanew    // Offset to start of PE header             指向PE文件头 

} IMAGE_DOS_HEADER ENDS

 

1.该结构有两个重要的成员,DWORD e_magic和LONG e_lfanew。DWORD e_magic为"MZ",定义为IMAGE_DOS_SIGNATURE。LONG e_lfanew存放PE头的文件偏移量。

#define IMAGE_DOS_SIGNATURE                0x4D5A      // MZ
#define IMAGE_OS2_SIGNATURE                 0x4E45      // NE
#define IMAGE_OS2_SIGNATURE_LE           0x4C45      // LE
#define IMAGE_NT_SIGNATURE                  0x50450000  // PE00


 2.DOS Stub
它是一个总是由大约100个字节所组成的和MS-DOS 2.0兼容的可执行体,用来输出象

“this program needs windows NT”之类的错误信息。win32系统都直接跳过DOS Stub定

位到PE头。